Method And System For Restricting Access To User Resources

ABSTRACT

A user&#39;s set top box (STB), or other client, executes a shell and has an application program interface (API) by which certain features of the client can be controlled. The client is in communication with a walled garden proxy server (WGPS), which controls access to a walled garden. The walled garden contains links to one or more servers providing network-based services. The client sends a request to the WGPS to access a service provided by a site in the garden. To provide the service, the site sends the client a message containing code calling a function in the API. The WGPS traps the message from the site and looks up the site in a table to determine the access control list (ACL) for the site. The ACL is a bit-map that specifies which functions of the client&#39;s API can be invoked by code from the site. The WGPS includes the ACL in the header of the hypertext transport protocol (HTTP) message to the client. The shell receives the message and extracts the ACL. The shell uses the ACL to determine whether the code has permission to execute any called functions in the API. If the code lacks permission, the shell stops execution and sends a message to the site indicating that the site lacks permission. Otherwise, the shell allows the code to call the function.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.10/836,544 filed on Apr. 30, 2004, which is a continuation of U.S. Pat.No. 6,732,179 filed on Oct. 26, 1999, which is a continuation-in-part ofU.S. Pat. No. 6,370,571 filed on Mar. 5, 1997; and is related to U.S.Pat. No. 6,678,733, filed on Oct. 26, 1999, the entire contents of eachbeing hereby incorporated by reference herein.

BACKGROUND

1. Field of the Invention

This invention pertains in general to high-speed data networks and inparticular to a system and method for restricting access by servers onthe network to resources available on user computer systems.

2. Background of the Invention

Cable television service is usually sold as a subscription to one ormore “tiers” of channels. Typically, a basic cable subscription allowsaccess to a small tier of channels and is sold for a relatively lowsubscription fee. The subscriber can purchase additional tiers of cablechannels for additional fees.

In most cable systems, the subscriber uses a “set-top box” (STB) toaccess the cable channels. The STB contains a microprocessor and otherhardware for tuning and descrambling channels in the tiers to which thesubscriber has access. The STB may also enable other services, such aspay-per-view or digital music reception in return for additional fees.

In recent years, the STB has incorporated a cable modem that enablesaccess to Internet- and World Wide Web—(“the web”) based resources viathe cable infrastructure. A cable modem typically has at least oneassigned Internet Protocol (IP) address and is managed by an InternetService Provider (ISP). The ISP inserts and extracts Internet traffic toand from the cable infrastructure and distributes it to the cable modemhaving the given IP address or the Internet, as appropriate.

U.S. Pat. No. 6,678,733 discloses a walled garden accessible to STBusers who are customers of the ISP. Application servers within thewalled garden provide services to the users, including, for example,access to electronic content, access to electronic commerce services,and any other functionality that can be provided electronically via anetwork. The users can subscribe to one or more of the services in thewalled garden either individually or as part of a tier. U.S. Pat. No.6,678,733 discloses a way to restrict users to only those services inthe walled garden to which the users are entitled to access.

The walled garden application servers may desire or need to accessfeatures of the users' STBs in order to provide certain services. Forexample, an application server may need to generate text or controls ona user's television display, change the channel to which the STB istuned, print a receipt on a printer coupled to the STB, or complete afee transaction using an electronic wallet stored in the STB.

The ISP would prefer to limit the features on the users' STBs to whichthe application servers have access, typically to generate revenue andenhance security. For example, the ISP may desire to charge a fee forletting an application server change the channel to which the user's STBis tuned or conduct an electronic commerce transaction using theelectronic wallet. Likewise, the ISP would like to limit the abilitiesof the application server to ensure that a misbehaving or compromisedapplication server cannot act maliciously toward a user's STB.

Accordingly, there is a need for a way to restrict the features of auser's STB that can be accessed and utilized by an application serverwithin the walled garden. Preferably, the solution to this need willrestrict the features at a fine grain, thereby allowing an applicationserver to access only those features which are necessary to provide theservice sought by the user.

SUMMARY OF THE INVENTION

The above needs are met by a method and system that passes an accesscontrol list (ACL) to the set top box (STB), or other form of client,indicating which functions in the client can be called by a walledgarden site. A client is coupled to a television set, computer system,or other device having a display. The client preferably contains acentral processing unit, a memory, a television tuner, and a cablemodem. The client also preferably contains a video subsystem forgenerating images on the display and an input for accepting commandsfrom the user.

The client preferably executes software supporting standard web browsingfunctionality. In one embodiment, the client executes the Windows CEoperating system. Programs executing on the operating system include ahypertext markup language (HTML) rendering engine, a JAVA virtualmachine for executing JAVA programs, and other controls supporting webbrowsing functionality. A shell program also preferably executes on theoperating system and generates a user interface on the display. Theshell program controls access to sets of application program interfaces(APIs) for providing functionality at the client. For example, the APIsinclude functions allowing a program to change the channel, access anelectronic program guide held by the client, instantiate user interface(UI) elements, and access an electronic walled held by the client.

The cable modem is preferably coupled to a coaxial cable and supportsbi-directional broadband communications using the Internet protocol(IP). The coaxial cable is typically aggregated with other cables into afiber-optic cable. The fiber-optic cable, in turn, is coupled to a cablemodem termination server (CMTS) at a headend. The CMTS contains hardwarefor terminating the IP data channel, including IP switches, routers, andhigh-availability servers.

The CMTS allows the client to access a private network containing awalled garden proxy server (WGPS) via the hypertext transport protocol(HTTP). The WGPS controls access to a walled garden of network-basedservices. The services available in the walled garden may include, forexample, access to electronic content, access to electronic commerceservices, and any other functionality that can be providedelectronically via a network. These services are provided by one or morewalled garden servers coupled to a walled garden network. The walledgarden servers may include servers directly coupled to the walled gardennetwork, servers having direct connections to remote applicationdatabases, servers coupled to the walled garden network via a virtualprivate network, and servers having only a frontend on the walled gardennetwork. Each site on a walled garden server is identified by a plotnumber.

A site held on a server within the walled garden may respond to a userby sending a message containing a JAVASCRIPT program to the client. Theprogram can invoke one or more of the functions in the APIs. The WGPStraps messages from the site and determines the ACL for the site. TheACL is preferably a bit-map that specifies which STB API functions maybe called by the site. The WGPS passes the ACL to the client as a headerto the message from the site. In addition, the WGPS examines the headerreceived from the site to protect against ACL masquerading or spoofingby the site.

The shell executing on the client extracts the ACL from the header whenit receives the message. The shell uses the bit-map to determine whichAPI functions can be invoked by the walled garden site. If theJAVASCRIPT program tries to invoke a function for which it lackspermission, the client halts execution of the program and sends amessage back to the site indicating that the invocation failed becausethe site lacks permission. Otherwise, the client allows the JAVASCRIPTprogram invoke the function and returns the result to the site. Thus,the walled garden site can use the APIs to provide services to the user.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a high-level view of a networkarchitecture according to a preferred embodiment of the presentinvention;

FIG. 2 is a high-level block diagram of a client according to anembodiment of the present invention;

FIG. 3 is a block diagram illustrating the various levels of softwareand hardware executing on the client illustrated in FIG. 2;

FIG. 4 is a high-level logical block diagram illustrating the client, aprivate network, the Internet, and other related entities;

FIG. 5 is a high-level block diagram of a computer system for performingas one of the servers illustrated in FIG. 4, such as the walled gardenproxy server (WGPS) and/or the gateway server (GS);

FIG. 6 is a flow diagram illustrating transactions among the client,WGPS, GS, and keymaster according to a preferred embodiment of thepresent invention;

FIG. 7 is a flow diagram illustrating transactions between the WGPS, GS,and keymaster that may occur independently of the transactions of FIG.6;

FIG. 8 illustrates the fields in a ticket according to an embodiment ofthe present invention; and

FIG. 9 is a flow diagram illustrating transactions among a walled gardensite, the WGPS, and the client according to a preferred embodiment ofthe present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1 is a block diagram illustrating a high-level view of the networkarchitecture 100 according to a preferred embodiment of the presentinvention. A television (TV) 110 is coupled via a data link 111 to aclient 112, which is preferably a set top box (STB). The TV 110 can beany form of television, including a conventional analog TV or ahigh-definition (HD) digital TV. In addition, the TV 110 may be amonitor coupled to the client 112 directly. Alternatively, the client112 may be coupled to a computer system instead of a TV 110. The datalink 111 may be, for example, a serial link, a radio frequency (RF)link, a broadband link, a standard monitor cable, or an S-video link.The client 112 can also be integrated into the TV or computer system.

Typically, the client 112 is an STB and is purchased or leased by aperson or household who also subscribes to the cable TV and datacommunication services. The person or persons who performs this task isoften referred to as the “subscriber.” Because multiple people may use asingle client 112, the person using the client in this description isreferred to as a “user.” The STB 112 or other device that the user usesto access data communication services is generically referred to as a“client.” The distinction between actions performed by the user andclient are often blurred, especially when the client performs an action,such as fetching a web page, on behalf of a user. Accordingly, the terms“user” and “client” are often interchangeable in this description.

The client 112 preferably includes at least one tuner for tuning a TVsignal and a cable modem for receiving and transmitting data. Inaddition, the client 112 is preferably coupled to a coaxial cable 114carrying analog and/or digital TV signals and providing two-way datacommunication between the client 112 and the rest of the network usingthe Internet protocol (IP). In alternative embodiments, datacommunication between the client 112 and the rest of the network may beprovided by other forms of communication technologies, including analogmodem, digital subscriber line (DSL), and wireless technologies. Thesealternative technologies may or may not carry TV or other video signalswith the data.

In the embodiment where the client 112 is coupled to a coaxial cable,the coaxial cable 114 is aggregated with other cables at a node 116,typically from geographically proximate locations, into a fiber-opticcable 118. The fiber-optic cable 118, in turn, is aggregated with otherfiber-optic cables at a headend 120.

The headend 120 integrates signals from multiple sources into thefiber-optic cable 118. In one embodiment, the headend 120 receivesanalog 122A and digital 122B television signals via analog 124A anddigital 124B satellite downlinks, respectively. In addition, the headend120 includes a cable modem termination server (CMTS) 126 for terminatingthe IP data channel, including IP switches, routers, andhigh-availability servers.

The CMTS 126 is preferably coupled to a private network 128 maintainedby an Internet service provider (ISP) or other organization. In apreferred embodiment of the present invention, the private network 128includes the high-speed network architecture described in U.S. patentapplication Ser. No. 08/811,586, entitled SYSTEM AND METHOD FORDELIVERING HIGH-PERFORMANCE ONLINE MULTIMEDIA SERVICES, filed on Mar. 5,1997 by Milo S. Medin, which is hereby incorporated by reference herein.In general, the private network 128 provides network access to the usersby managing a cable modem contained within the client 112. A widelyaccepted standard for cable modems is the Multimedia Cable NetworkSystem (MCNS) Data-Over-Cable Service Interface Specifications (DOCSIS).The private network 128 also provides connectivity to servers providingservices to the clients, such as caching, account and billingmanagement, electronic commerce, information databases, and any otherfunctionality that can be achieved via a network. Typically, theresources on the private network 128 can be accessed by only subscribersof the ISP.

In the illustrated embodiment, the private network 128 is incommunication with the Internet 130 via a network link 132. For securitypurposes, a preferred embodiment of the present invention restricts theability of the client 112 to download software from the Internet 130.However, other embodiments may provide the client 112 with full accessto the Internet 130 or restrict the client to only the resourcesavailable in the private network 128.

FIG. 2 is a high-level block diagram of a client 112 according to anembodiment of the present invention. Preferably, the client 112 is anSTB and supports both broadcast services including video, audio, anddata, and IP-based services including e-mail, web browsing, IPmulticast, and streaming video and audio. In a preferred embodiment ofthe present invention, the client 112 is a GENERAL INSTRUMENTS DCT-5000,although any STB, computer system, or modem providing equivalentfunctionality can be substituted. The client 112 preferably includescomponents typically found in a computer system including a centralprocessing unit (CPU) 210. The CPU 210 can be any type of general orspecific purpose processor and processes instructions and data forproviding the functionality described herein. The CPU 210 is coupled viaa bus 212 to a random access memory (RAM) 214, a read only memory (ROM)216, and non-volatile memory 218, such as flash memory. The RAM 214 ispreferably synchronous dynamic RAM (SDRAM) and stores programs and dataused by the CPU 210 as is well known in the art. Similarly, the ROM 216and flash memory 218 store instructions and data used to maintain thesystem operation and configuration.

The bus 212 also couples the CPU 210 with a graphics and video subsystem220 which generates text and video images on the TV 110. In addition toproviding conventional TV images, the graphics and video subsystem 220preferably generates a user interface (UI) by which the user can accessthe features and services provided by the client 112. The graphics andvideo subsystem 220 may also support advanced features such as 3-Dgraphics, video decoding, and video digitizing.

TV and cable modem tuners 222, 224 are also preferably coupled to thebus 212. The TV tuner 222 is preferably a frequency-agile tunerdedicated to analog and digital broadcast services. The cable modemtuner 224 is preferably a frequency-agile tuner dedicated to cable modemservices. Although not shown in FIG. 2, the client 112 may also includeother tuners for handling an out-of-band data channel and a returnsignal path. The tuners 222, 224 receive the signal from the coaxialcable 114.

An infrared (IR) transceiver 226 is also preferably coupled to the bus212. The transceiver 226 can communicate with a wireless remote controlor keyboard, thereby allowing a user to access the features of theclient 112 either directly or via on-screen menus. The client 112 alsopreferably includes a secure microprocessor 228 for supporting securetransactions as described below. The secure microprocessor 228 holds aunique identification value for the client 112 called the “Box ID,” aprivate/public key pair, and other information that can be used toauthorize and authenticate messages to and from the client 112. Inalternative embodiments, the client 112 may also include an audioaccelerator for performing audio processing, an input/output (I/O)controller for communicating with external devices such as storagedevices and hard copy output devices, and/or a network adapter forcommunicating with a local-area network.

FIG. 3 is a block diagram illustrating the various levels of clientsoftware program modules and hardware executing on the client 112illustrated in FIG. 2. At the lowest level is the hardware 310 forexecuting the software and performing the basic functions supported bythe client 112. Device drivers 312 for the various hardware elements sitbetween the operating system (OS) 314 and the hardware 310. In oneembodiment, the OS 314 is a version of the WINDOWS CE operating systemfrom MICROSOFT CORPORATION of Redmond, Wash. However, other OS's mayalso be used. The OS 314 controls the operation of the client 112 andmakes the features of the client available to other programs executingon the client 112. The OS 314 uses the device drivers 312 to communicatewith the hardware 310. In addition, a TV application program interface(API) 316 also sits between the OS 314 and the hardware 310. The OS 313uses the TV API 316 to access dedicated TV functionality within thehardware 310.

A JAVA virtual machine (JVM) 318 and hypertext markup language (HTML)rendering engine 320 preferably execute on the OS 314. The JVM 318functions as a virtual machine and provides an execution space for JAVAprograms 322. The JAVA programs 322 may be stored locally on the client112 or downloaded from the private network 128 or the Internet 130. Inaddition, the JAVA programs 322 may utilize JAVA classes dedicated tosupporting the TV and media functions available on the client 112.Similarly, the HTML rendering engine 320 supports traditional webbrowsing functionality. A user can use the web browser controls 324 tonavigate through hypertext documents as is well known in the art.

In a preferred embodiment of the present invention, a shell program 326executes at the highest level. The shell program 326 may be implementedusing, for example, native code, JAVA, JAVSCRIPT, ActiveX controls,HTML, and/or dynamic link libraries (DLLs). The shell program 326 is thecontrolling application and provides the user interface (UI) on the TV110 and application support for channel navigation, an electronicprogram guide, storing user preferences, email, and walled garden 420access.

Preferably, the shell program 326 contains a set of foundation layerAPIs 328 that can be called by programs downloaded via the privatenetwork 128. In one embodiment, the functions in the APIs are accessedby JAVASCRIPT code downloaded to the client 112 via HTTP. All functionsavailable through the APIs are subject to access control and a programmaking use of the APIs must be authorized to access the functions. If aprogram calls a function for which it is not authorized, the client 112returns a FAIL_FUNCTION_NOT_AUTHORIZED error status message to theprogram. This status message indicates to the program that the serverthat supplied the program is not authorized to perform that function onthe client 112.

Exemplary sets of APIs are described in the Appendix. As describedtherein, the APIs allow a program to change the television channel towhich the client 112 is tuned, inquire about the details of a channelline-up, access an electronic program guide (EPG) stored by the client,instantiate UI elements on the television 110, retrieve informationabout viewer (i.e., user) accounts, access electronic wallet (E-wallet)functionality in the client to conduct electronic commerce transactions,set reminders for display on the television 110, and print pages on aprinter (not shown) coupled to the client. Additional APIs may allowcontrolling scaling of the broadcast video picture on the television 110and accessing settings stored by the client 112, including userpreferences, bookmarks, parental controls, and diagnostics. Other APIscan easily be added to the shell 326 to provide functionality desired bythe ISP, server, or users. Preferably, each function in the APIs isnamed, numbered, or otherwise uniquely identified. Likewise, groups offunctions, related or otherwise, may also be named, numbered, orotherwise identified.

FIG. 4 is a high-level logical block diagram illustrating the client112, the private network 128, the Internet 130, and other relatedentities. As shown in FIG. 4, the CMTS 126 is preferably coupled to aproxy server 410. The proxy server 410 provides caching of web pages andother data for the clients served by the CMTS 126. The proxy server 410is connected to a network backbone 412. A walled garden proxy server(WGPS) 414, gateway server (GS) 416, and WWW Internet proxy server 418(Internet server) are also coupled to the network backbone 412.

Preferably, the client 112 communicates with the servers on the network412 using standard communications protocols including the IP, hypertexttransport protocol (HTTP), and secure sockets layer (SSL).Communications between the client 112 and the various servers oftentakes the form of hypertext markup language (HTML) documents, extensiblemarkup language (XML) documents, JAVASCRIPT programs, and data providedthrough forms. Servers and data on the network 412 are preferablyidentified with uniform resource locators (URLs).

Each user of the client 112 preferably has a unique identification. Auser can log into the client 112 by inputting the user's identity and apersonal identification number (PIN) or other form of password. Thisuser information is preferably stored in a local database held in, forexample, the non-volatile memory 218 or a storage device. The databasehas a record for each user of the client 112 and associates the recordwith the user's login information. The client 112 can provide the user'slogin information to other servers in the network 128 when necessary toauthenticate the user. For security, the user records stored in theclient 112 are opaque and cannot be viewed without the login informationof the particular user. When a user logs into the client 112, the loginpreferably remains valid until the user explicitly logs out or theclient 112 is turned off. If no user has logged into the client 112, oneembodiment of the present invention uses a default user profile. Therights and privileges of the default user profile can be set by the ISP.

The WGPS 414 is the entry point for the walled garden 420. Although FIG.4 illustrates only a single walled garden 420, an embodiment of thepresent invention can have multiple walled gardens controlled by asingle WGPS or by multiple WGPS′. Each walled garden may be controlledby a different multiple systems operator (MSO) (e.g., a different cabletelevision company).

The illustrated walled garden 420 includes one or more servers which, inturn, hold one or more sites for providing network-based services to theusers. The services may include, for example, access to electroniccontent such as channel guides, magazines, newspapers, stock prices,music, or video, access to electronic commerce services such as stocktrading and buying and selling goods, access to a time-based or meteredservice, and any other functionality that can be provided electronicallyvia a network. Preferably, the services are implemented using acombination of JAVA, XML, HTML, and/or JAVASCRIPT. The servers may bemaintained by the MSO, ISP, or by other organizations who have formedbusiness relationships with the party managing the walled garden 420. Inone embodiment, the services in the walled garden 420 are arranged intosets of tiers. Preferably, the user can subscribe to one or more of theservices in the walled garden 420 either individually or as part of atier.

The WGPS 414 has an associated database 415 for holding permissionsavailable to the user and the walled garden sites. To access the walledgarden 420, the client must present a “ticket” to the WGPS 414specifying the walled garden 420 and services to which the user hasaccess. Alternatively, the ticket may specify only those services whichthe user does not have access. The database 415 identifies “poisoned”tickets, i.e., those tickets that are no longer accepted and holds keysfor decrypting encrypted tickets. The database also holds informationidentifying the MSO or MSOs who's customers have access to the walledgarden 420 in order to ensure that the ticket is affiliated with theparticular walled garden. The WGPS 414 uses the ticket and theinformation in the database 415 to authenticate the user and authorizethe user to access the services in the walled garden 420.

The database 415 also identifies the rights of walled garden sites toaccess the APIs in the clients 112. Preferably, the database 415 storesa Walled Garden Permissions Table that specifies the API access rightsof each server or site in the walled garden. In one embodiment of thepresent invention, the permissions table is as follows:

Walled Garden Permissions Table RL Prefix User Agent WG ACL Affiliationhttp:// . . . DCT-5000 010111 0110 http:// . . . DCT-5000 010101 0100http:// . . . DCT-5000 011101 0001 . . . . . . . . . . . . http:// . . .DCT-5000 110101 1000

The permissions table is preferably indexed by URL prefix. The URLPrefix field preferably holds a URL string long enough to uniquelyidentify the walled garden site having the associated permissions. Forexample, the URLs “http://disney.com/company/index.html” and“http://disney.com/company/about/index.html” will both match a tableentry with the URL prefix “http://disney.com/company/.” This techniqueallows different permissions to be assigned to different subtrees of asite's content.

The User Agent field preferably holds a string identifying the type ofbrowser used by the user. For example, the User Agent field may indicatethat the user is using a DCT-5000 STB. Alternatively, the field mayindicate that the user is using NETSCAPE NAVIGATOR, MICROSOFT INTERNETEXPLORER, or any other type of browser. Since different user agents mayhave different API sets and capabilities, sites in the walled garden mayhave separate permissions table entries for each type of user agent. Theclient 112 identifies the user agent when it sends a HTTP request to theWGPS 414.

The Walled Garden Access Control List (WG ACL) field preferably containsa bit-map, or ACL, indicating to which client APIs the walled gardensites having the given URL prefix can access. The mapping from bitposition to API function is arbitrary and extensible. A value of zeropreferably means the site does not have permission to invoke thecorresponding API function or functions, and a value of one preferablymeans the site does have permission to invoke the corresponding APIfunction or functions. The Affiliation field identifies the particularwalled garden 420 or MSO to which the ACL pertains.

The exemplary walled garden 420 illustrated in FIG. 4 contains twowalled garden application servers (WGAS's) 422A-B, a walled garden frontend server (WGFS) 424, and a walled garden virtual private network (VPN)termination point 426 (WGVPNTP) interconnected by a walled gardennetwork (WGN) 428. The WGN 428 is preferably a closed network andessentially performs as a local area network coupling the various typesof walled garden servers with the WGPS 414. A WGAS 422 is preferably aweb server or some other form of server that provides web-likefunctionality to a user. A WGAS 422A may contain all of the hardware andstorage necessary to provide a service to a user. Alternatively, theWGAS 422B may be coupled to a remote application database 430 via adedicated network connection 432. This latter embodiment may bepreferred, for example, when the WGAS 422B acts as an interface to alarge database of information and the entity managing the WGAS 422B doesnot wish to replicate the contents of the database within the walledgarden 420.

The WGFS 424 provides a frontend interface for backend servers locatedelsewhere on the Internet 130 or otherwise in communication with WGFS424. For example, a WGFS 424 may be used when a large organizationwishing to have a presence in the walled garden 420 leases server spacefrom the ISP or other entity managing the walled garden. The WGFS 424provides an access point in the walled garden 420 through which theclients can access the backend servers.

The WGVPNTP 426 allows an organization to maintain a presence in thewalled garden 420 using remote servers. The ISP or other entity managingthe walled garden 420 establishes a VPN 434 over the Internet 130connecting the WGVPNTP 426 with a remote WGAS 436. The remote WGAS 436communicates through the WGVPNTP 426 to perform the same functions as alocal WGAS 422.

Each unique service within the walled garden 420 is preferablyidentified by a unique “plot number.” The client 112 preferablyidentifies a specific walled garden service with the URL“http://wg/<plot_number>/ . . . ” The plot number is preferably used asan index into the ticket and identifies a value specifying whether theuser has access to the service. A walled garden service is typicallyimplemented on a single server. However, a single server can supportmultiple walled garden services. Accordingly, a server may be identifiedby more than one plot number, with each plot number mapping to adifferent site residing on the server. A single service can also resideon multiple servers, such as when load balancing is being employed. Inthis case, a single plot number may resolve to more than one server.

The GS 416 controls access to a policy server (PS) 438. The GS 416preferably receives communications from the client 112 in the form ofXML and/or forms via HTTP over SSL and translates the communicationsinto database transactions using protocols such as lightweight directoryaccess protocol (LDAP), SQL, and open database connectivity (ODBC). TheGS 416 passes the transactions to the PS 438 and the PS 438 accesses adatabase 440 of user authorization and authentication information inresponse. The database contains a list of users, walled gardens, andservices in particular walled gardens 420 available to the users. Thedatabase 440 does not need to be centralized and, in one embodiment, isdistributed on a regional basis. The GS 416 communicates with the PS 438to authenticate a user's identity and issue the client a ticketspecifying the walled gardens and services that the user can access. TheGS 416 preferably encrypts the ticket using a secret key shared with theWGPS 424 in order to limit potential attacks on the ticket by the user.The user's client 112 stores the ticket and presents it to the WGPS 414when seeking to access a walled garden 420.

The Internet server 418 is essentially the same as the WGPS 414, exceptthat the Internet server 418 controls access to the Internet 130 atlarge rather than to the walled garden 420. In a preferred embodiment,the Internet server 418 has a database 444 for holding permissionsindicating web sites that users can access and client API functions thatthe web sites can access. A client accesses the Internet 130 bypresenting a ticket to the Internet server 418 specifying the Internetsites to which the user has access. In one embodiment, the ticketspecifies the URLs using regular expression pattern matching. Thedatabase 444 also identifies poisoned tickets.

The keymaster 442 provides encryption keys to the GS 416, WGPS 414, andInternet Server 418. Preferably, the keymaster 442 has SSL links, orsome other form of secure communication links, to the servers 414, 416,418. The keymaster 442 generates pseudo-random encryption keys andsecurely passes the keys to the servers 414, 416, 418. The servers 414,416, 418 use the keys to encrypt and decrypt the tickets. In a preferredembodiment, the servers 414, 416, 418 use symmetric encryption and usethe same key to encrypt and decrypt tickets, although other encryptionsystems can be used. Each key is valid for a predetermined time period.The keymaster 442 issues a new key to the servers 414, 416, 418 at theexpiration of the previous key. Each key is preferably indexed so thatthe keys can be individually identified.

The entities illustrated in FIG. 4 are not necessarily physicallyseparate or executing on dedicated computer systems. For example, thewalled garden network and the network connecting the various servers mayactually be a single network that is logically divided into separatenetworks. Moreover, the various servers, such as the WGPS 414, GS 416,and PS 438, may actually be integrated into the proxy server 410 oranother computer system. Likewise, the various databases 415, 440 may beimplemented on a single database. Conversely, the functionality ascribedto a single network, server, or database in the description of FIG. 4may actually be performed by multiple networks, servers, and/ordatabases, respectively. Thus, FIG. 4 illustrates logical entities andlogical interconnections between the entities according to a preferredembodiment of the present invention. However, alternative embodiments ofthe present invention may have different physical structures.

FIG. 5 is a high-level block diagram of a computer system 500 forperforming as one or more of the servers, such as the WGPS 414 and/orthe PS 428, illustrated in FIG. 4. Illustrated are at least oneprocessor 502 coupled to a bus 504. Also coupled to the bus 504 are amemory 506, a storage device 508, a keyboard 510, a graphics adapter512, a pointing device 514, and a network adapter 516. A display 518 iscoupled to the graphics adapter 512.

The at least one processor 502 may be any general-purpose processor suchas an INTEL x86 compatible- or SUN MICROSYSTEMS SPARC compatible-centralprocessing unit (CPU). The storage device 508 may be any device capableof holding large amounts of data, like a hard drive, compact diskread-only memory (CD-ROM), DVD, or some form of removable storagedevice. The memory 506 holds instructions and data used by the processor502. The pointing device 514 may be a mouse, track ball, light pen,touch-sensitive display, or other type of pointing device and is used incombination with the keyboard 510 to input data into the computer system500. The graphics adapter 512 displays images and other information onthe display 518. The network adapter 516 couples the computer system 500to a local or wide area network.

Program modules 520 for performing the functionality of the server,according to one embodiment of the present invention, are stored on thestorage device 508, loaded into the memory 506, and executed by theprocessor 502. Alternatively, hardware or software modules may be storedelsewhere within the computer system 500. In one embodiment of thepresent invention, one or more of the illustrated servers areimplemented using redundant hardware to create a high-availabilitycomputer system. As is known in the art, an advantage of ahigh-availability computer system is a reduced risk of system failure.

FIG. 6 is a flow diagram illustrating transactions among the client 112,WGPS 414, GS 416, and keymaster 442 according to a preferred embodimentof the present invention. The illustrated transaction sequencerepresents only one of many possible sequences of transactions. In FIG.6, a horizontal arrow represents a transaction where the primary flow ofinformation is in the direction of the arrow. The slash across thetransaction illustrates the protocol used to transmit the data,typically either HTTP or the SSL. In addition, FIG. 7 is a flow diagramillustrating transactions between the WGPS 414, GS 416, and keymaster442 that may occur independently of the transactions of FIG. 6.

Initially, the user uses the UI on the client 112 to request 610 accessto a service in the walled garden 420. For example, the client 112 maygenerate a UI on the TV 110. The user, using the UI and an input devicesuch as an IR keyboard, requests access to the service through the webbrowsing software 324 executing on the client 112. Alternatively, theclient 112 may be coupled to or integrated into a computer system andthe user may use web browsing software to request access to a web sitein the walled garden 420. As mentioned above, the request 610 from theclient 112 to the WGPS 414 preferably takes the form of a URL such as“http://wg/<plot_number>/ . . . ” In one embodiment, the user visits aweb page or portal that references, either directly or indirectly, allof the available walled garden services. When the user selects a link toa particular service, the web page directs the client 112 to the properURL.

The WGPS 414 receives the request 610 and determines from the URL thatthe client is attempting to access a restricted service in the walledgarden 420. Assume, however, that this request 610 is the first requestfrom the client 112 to the WGPS 414. As a result, the client 112 did notinclude a ticket with the request 610. Therefore, the WGPS 414 denies611 access to the walled garden 420 and sends a HTTP 407 response tochallenge 612 the client 112 to supply the ticket in a subsequentrequest.

The client 112 receives the challenge 612. Preferably, the web browserthen passes control to an authorization dynamic link library (DLL)executing on the client 112. The authorization DLL creates theappropriate UI to let the user authenticate himself or herself to theclient 112.

The authorization DLL then establishes a SSL connection with the GS 416and makes a request 616 for the ticket by sending the userauthentication information, as well as the Box ID of the client 112,across the SSL connection. The GS 416 authenticates the user byvalidating 618 the authentication information against the information inthe database 440.

If the validation 618 is successful, the GS 416 preferably constructs620 the ticket. As shown in FIG. 8, the ticket 800 preferably includesthe Box ID 810 of the client 112 requesting the ticket, a version number812, an expiration date 814 (or duration when the ticket is valid), anaffiliation 815, and a set of bits representing the access rights of theuser 816. The version number 812 is preferably a control number used bythe GS 416 to ensure that the WGPS 414 properly interprets the ticket800. The expiration date 814 can be any time in the future or a timespan when the ticket 800 is valid and may range, for example, from a fewminutes to a few hours. The affiliation indicates the particular walledgarden 420 or MSO to which the ticket 800 pertains. The set of bitsrepresenting the access rights of the user 816 are preferably organizedsuch that certain bits correspond to certain servers, sites, or serviceswithin the walled garden 420. In one embodiment of the presentinvention, the bits representing the access rights 816 are run lengthencoded (RLE) to reduce the storage size of the field. Otherinformation, such as the IP address of the client 112 and a timestampmay also be stored in the ticket 800.

As shown in FIG. 7, the keymaster 442 occasionally shares 710 a secretkey with the GS 416 and the WGPS 414 via an SSL connection. Returning toFIG. 6, the GS 416 preferably uses a symmetric encryption technique toencrypt 622 the ticket 800, T, with the shared secret key to produce anencrypted ticket, T′. In an alternative embodiment, the GS 416 encryptsonly the portion of the ticket containing the bits representing the useraccess rights 816. The WGPS 414 uses the decryption key, which ispreferably identical to the encryption key, to decrypt the ticket 800.In one embodiment of the present invention, this encryption is performedusing the data encryption standard (DES). However, other embodiments ofthe present invention may use different encryption techniques, includingtechniques where the encryption and decryption keys differ.

The resulting encrypted ticket is passed 624 to the client 112. Theclient 112 preferably stores the encrypted ticket internally. Since theclient 112 does not have access to the secret key shared by thekeymaster 442, GS 416, and WGPS 414, the client cannot decrypt or alterthe ticket.

If, for any reason, the GS 416 decides to invalidate or revoke a ticket,the GS 416 poisons the ticket by sending 712 an invalidity notice to theWGPS 414 as shown in FIG. 7. The WGPS 414 treats a request to access thewalled garden 420 made by a client with a poisoned ticket as if noticket had been included.

Returning to FIG. 6, the client 112 again sends a HTTP request to theWGPS 414 requesting access to a service in the walled garden 420. Thistime, however, the client 112 includes the encrypted ticket with theHTTP request in an “Authorization” header. The WGPS 414 receives theticket with the request and determines 628 whether the ticket grants theuser access to the walled garden 420 and walled garden service. To makethis determination, the WGPS 414 uses the timestamp to determine thesecret key used to encrypt the ticket. Then, the WGPS 414 uses thesecret key to decrypt the ticket. Next, the WGPS 414 compares the Box IDin the ticket with the Box ID of the requesting client to ensure thatthe ticket was received from the correct client 112. The WGPS 414 alsochecks the expiration date in the ticket to ensure that the ticket isstill valid and compares the ticket with the information in its database415 to ensure that the ticket has not been poisoned.

If the above tests are satisfied, then the WGPS 414 examines theaffiliation 815 and the set of bits representing the access rights ofthe user 816 to determine whether the user has rights to the specifiedwalled garden 420 service. To make the latter determination, the WGPS414 extracts the plot number from the HTTP request and uses it as anindex into the set of bits 816 in the ticket 800. Preferably, the valueof the indexed bit specifies whether the user is authorized to accessthe walled garden 420 service or site having the given plot number. Thisembodiment is preferred because it minimizes the overhead utilized todetermine whether the ticket allows access. Of course, alternativeembodiments of the present invention may use different techniques toencode the user access rights in the ticket.

The WGPS 414 then either grants or denies 630 access to the user. If theWGPS 414 grants access, then it allows the user request 626 to reach thewalled garden 420 service having the specified plot number. Accordingly,the specified URL from the walled garden server will be served to theclient 112. In this case, the client 112 downloads and executes theJAVA, HTML, XML, and/or JAVASCRIPT code providing the service asdescribed below. Preferably, the downloaded code is not persistentlystored in the client 112. If the WGPS 414 denies access, then it sends aHTTP status 407 response to the client 112 with an HTTP headerindicating the reason for denying access. Typically, the client 112 willrespond to this denial by requesting 616 a new ticket from the PS 438.

FIG. 9 is a flow diagram illustrating transactions among a Walled GardenServer (WGS) 910, the WGPS 414, and the client 112 according to apreferred embodiment of the present invention when the WGS responses toan client request for a service. The WGS 910, which may be any of theserver types described above, sends 912 a message to the client 112 viaHTTP. The message contains code in JAVASCRIPT invoking one or more ofthe functions in the APIs implemented in the shell 326 of the client112. Other embodiments of the present invention may use languages otherthan JAVASCRIPT or other invocation methods, such as MACROMEDIA FLASH,to call API functions.

The message from the WGS 910 to the client 112 necessarily passesthrough the WGPS 414. Preferably, a proxy plug-in on the WGPS 414 trapsall messages from WGS′ to clients in order to attach an ACL to eachmessage. When the WGPS 414 traps a message, it examines 914 the headerprovided by the WGS 910 for any potential security violations. Forexample, the WGPS 414 strips any improper headers off the message toprotect against masquerading or spoofing by the WGS 910. Then, the WGPS414 looks up 916 the corresponding entry in the Walled GardenPermissions Table stored in the database 415 and retrieves the ACL forthe given service, affiliation, and user agent. The WGPS 414 inserts 918the ACL into the message from the WGS 910 to the client 112 as an HTTPheader. In one embodiment of the present invention, the ACL is insertedinto a “athmAPIAuth” header, although other headers or transportmechanisms can be used as well.

In addition, the WGPS 414 can place information in the header thatfurther limits the permissions contained in the ACL. For example, theWGPS 414 can restrict the WGS 910 to accessing channel guide data forthe current time only, for the next hour, for the next day or week, etc.Similarly, the WGPS 414 can restrict the WGS 910 to accessing channelguide data for only a certain channel or network. The WGPS 414preferably implements these additional limitations by placing additionalfields in the HTTP header. After the headers are inserted, the WGPS 414passes 920 the message to the client 112.

The shell 326 executing on the client 112 extracts the ACL,affiliations, and any other permissions from the headers and determines922 whether the data grant the WGS 910 access to the API functionscalled by the attendant code. The shell 326 codifies the mapping frombit positions in the ACL to API functions and enforces the accesscontrol. If the ACL does not allow a called API function to be executed,then the shell 326 preferably returns 924 theFAIL_FUNCTION_NOT_AUTHORIZED message to the application or program thatinvoked the API function. Otherwise, the shell 326 returns 924 theresult of the function invocation.

In summary, the present invention is an authentication and authorizationmethod and system that lets individual users access one or more of theservices within the walled garden 420. The client 112 authenticationprocedure allows individual users to be authenticated. In addition, theGS 416, PS 438, and associated database 440 can authorize a unique setof access rights for each user. The WGPS 414 ensures that onlyauthenticated and authorized users are allowed to access servers withinthe walled garden 420. Moreover, the design of the system, including theticket and shared secret key, provides an efficient implementation,thereby keeping a relatively light processing load on the GS 416 and PS438.

In addition, the present invention enhances the services provided by thewalled garden 420 by allowing WGS′ to access the APIs of the clients.The Walled Garden Permissions table stored in the database 415 of theWGPS 414 allows the access rights of a WGS to be controlled with a finedegree of granularity with respect to functions, time, andchannels/networks.

By using the method and system described herein, a service provider orother entity can sell subscriptions or other forms of access rights toone or more services within the walled garden 420. For example, an ISPcan sell subscriptions to tiers of services, much like subscriptions totiers of television channels are sold. In addition, the ISP can sell theright to access the client 112 APIs to the operators of the WGS′.

APPENDIX Channel Navigation Channel Up Syntax [Status]=TV.ChannelUp( )Parameters Status

-   -   The return status value from the ChannelUp method. The return        status value will be one of the following:        -   SUCCESS—The tune completed successfully        -   FAIL_INVALID_CHANNEL—The tune failed because of an invalid            channel number        -   FAIL_PARENTAL_CONTROL—The tune failed because of parental            control and a valid Parental Control PIN was not entered        -   FAIL_CHANNEL NOT_AUTHORIZED—The tune failed because the            channel was not authorized by the CA system        -   FAIL_FUNCTION_NOT_AUTHORIZED—The tune failed because the            function_invocation was not authorized by the CA system        -   FAIL_NOT_PURCHASED—The tune failed because the channel            carried an IPPV event and it was not purchased

Channel Down Syntax [Staus]=TV.ChannelDown( ) Parameters Status

-   -   The return status value will be one of the following:        -   SUCCESS—The tune completed successfully        -   FAIL_INVALID_CHANNEL—The tune failed because of an invalid            channel number        -   FAIL_PARENTAL_CONTROL—The tune failed because of parental            control and a valid Parental Control PIN was not entered        -   FAIL_CHANNEL NOT_AUTHORIZED—The tune failed because the            channel was not authorized by the CA system        -   FAIL_FUNCTION_NOT_AUTHORIZED—The tune failed because the            function_invocation was not authorized by the CA system        -   FAIL_NOT_PURCHASED—The tune failed because the channel            carried an IPPV event and it was not purchased

Direct Channel Specification Syntax [Status]=TV.TuneChannel(Channel)Parameters Channel

-   -   A numeric value that specifies the channel number.

Status

-   -   The return status value will be one of the following:        -   SUCCESS—The tune completed successfully        -   FAIL_INVALID_CHANNEL—The tune failed because of an invalid            channel number        -   FAIL_PARENTAL_CONTROL—The tune failed because of parental            control and a valid Parental Control PIN was not entered        -   FAIL_CHANNEL_NOT_AUTHORIZED—The tune failed because the            channel was not authorized by the CA system        -   FAIL_FUNCTION_NOT_AUTHORIZED—The tune failed because the            function invocation was not authorized by the CA system        -   FAIL_NOT_PURCHASED—The tune failed because the channel            carried an IPPV event and it was not purchased

Remark

The TuneChannel method tunes to the specified channel number.

Get Current Channel Syntax [Status]=TV.GetCurrentChannel(Channel)Parameters Channel

-   -   A numeric value that returns the current channel number.

Status

-   -   The return status value from the TuneChannel method. The return        status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_INVALID_CHANNEL—The tune failed because of an invalid            channel number

Channel Map Access

Channel map access allows applications to inquiry about the details ofthe channel line-up (aka channel map) currently available in theset-top. Access to the service information, i.e. station call lettersand network identifiers are available through the channel map access.

Syntax [Status]=ChannelMap.ChannelToNetwork (Channel, Network, Station)Parameters Channel

-   -   A numeric value that specifies the channel number.

Network

-   -   A string value that returns the broadcast network name.

Station

-   -   A string value that returns the local station name.

Status

-   -   The return status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_INVALID_CHANNEL—The function failed because of an            invalid channel number        -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system

Syntax [Status]=ChannelMap.NetworkToChannel (Network, Channel, Station)Parameters Network

-   -   A string value that specifies the broadcast network name.

Channel

-   -   A numeric value that returns the channel number.

Station

-   -   A string value that returns the local station name.

Status

-   -   The return status value from the NetworkToChannel method. The        return status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_INVALID_CHANNEL—The function failed because of an            invalid channel number        -   FAIL_FUNCTION NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system

Remark

The NetworkToChannel method returns the channel number and station namefor the specified network name. If there are more than one channel thatcarries the specified network name, only the first channel map entry isreturned.

Syntax [Status]=ChannelMap.ChannelRange (MinChannel, MaxChannel)Parameters MinChannel

-   -   A numeric value that returns the minimum channel number.

MaxChannel

-   -   A numeric value that returns the maximum channel number.

Status

-   -   The return status value from the ChannelRange method. The return        status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system

Remark

The ChannelRange method returns the minimum and maximum channel numberssupported by the channel map provided by the cable system.

EPG Data Access

EPG Data Access allows applications to inquiry details of the programguide data. The EPG Data Access is controlled by the followingattributes:

-   -   Access to schedule information (program name, start time, end        time, and rating)    -   Access to editorial information (program description, etc.)    -   Access to PPV information (pricing, etc.)    -   Dividing up schedule information (current time, next hour, next        day, etc.)    -   Control access on a source by source basis (only access guide        data for a particular network)

Schedule Information Syntax [Status]=EPG.GetScheduleInfo (Channel,Relative Time, ProgramName, StartTime, EndTime, Rating) ParametersChannel

-   -   A numeric value that specifies the channel number for which        schedule information is requested

Relative Time

-   -   A numeric value that specifies the relative time in minutes from        the current time for which schedule information is requested

ProgramName

-   -   A string value that returns the program name of the program that        occurs on the specified channel at the specified relative time.

StartTime

-   -   A numeric value that returns the start time of the program that        occurs on the specified channel at the specified relative time.

EndTime

-   -   A numeric value that returns the end time of the program that        occurs on the specified channel at the specified relative time.

Status

-   -   The return status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system        -   FAIL_TIME_NOT_AUTHORIZED—The function failed because access            to schedule information at the specified relative time was            not authorized by the CA system        -   FAIL_CHANNEL_NOT_AUTHORIZED—The function failed because            access to schedule information on the specified channel was            not authorized by the CA system

Remark

The GetScheduleInfo method returns the program name, start time, endtime, and rating of the program that is on the specified channel at thespecified relative time.

Program Information Syntax [Status]=EPG.GetProgramInfo (Channel,Relative Time, ProgramDescription) Parameters Channel

-   -   A numeric value that specifies the channel number for which        schedule information is requested

Relative Time

-   -   A numeric value that specifies the relative time in minutes from        the current time for which schedule information is requested

ProgramDescription

-   -   A string value that returns the detailed program description of        the program that occurs on the specified channel at the        specified relative time.

Status

-   -   The return status value from the GetProgramInfo method. The        return status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system        -   FAIL_TIME_NOT_AUTHORIZED—The function failed because access            to schedule information at the specified relative time was            not authorized by the CA system        -   FAIL_CHANNEL_NOT_AUTHORIZED—The function failed because            access to schedule information on the specified channel was            not authorized by the CA system

Remark

The GetProgramInfo method returns the detailed program description ofthe program that is on the specified channel at the specified relativetime.

Pay-Per-View Information Syntax [Status]=EPG.GetPPVInfo (Channel,RelativeTime, ISPPV, Price) Parameters Channel

-   -   A numeric value that specifies the channel number for which        schedule information is requested

Relative Time

-   -   A numeric value that specifies the relative time in minutes from        the current time for which schedule information is requested

IsPPV

-   -   A boolean value that indicates if specified program that occurs        on the specified channel at the specified relative time is a PPV        event. A value of TRUE indicates that it is a PPV event, a value        of FALSE indicates that it is not a PPV event.

Price

-   -   A string value that returns the price of the PPV event that        occurs on the specified channel at the specified relative time.        A value of NULL is returned if the specified program is not a        PPV event.

Status

-   -   The return status value from the GetScheduleInfo method. The        return status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system        -   FAIL_TIME_NOT_AUTHORIZED—The function failed because access            to schedule information at the specified relative time was            not authorized by the CA system        -   FAIL_CHANNEL_NOT_AUTHORIZED—The function failed because            access to schedule information on the specified channel was            not authorized by the CA system

Remark

The GetPPVInfo method returns the PPV status and price of the programthat is on the specified channel at the specified relative time.

Instantiation Of Standard UI Elements The Channel Banner Syntax[Status]=UI.DisplayChannelBanner( ) Parameters Status

The return status value will be one of the following:

-   -   SUCCESS—The function completed successfully    -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the        function invocation was not authorized by the CA system

Remark

The DisplayChannelBanner method causes the NavShell Foundation todisplay the NavShell channel banner as an overlay. The channel bannerwill automatically be taken down after its time-out period has beenreached.

The Extras Menu Syntax [Status]=UI.DisplayExtrasMenu (NumberOfEntries,MenuEntries, EntrySelected) Parameters NumberOfEntries

-   -   A numeric value that specifies the number of menu entries        contained in the MenuEntries array

MenuEntries

-   -   An array of string values that specify the text for each of menu        entries to be displayed in the Extras Menu

EntrySelected

-   -   A numeric value that returns the index of menu entry selected by        the viewer from the MenuEntries array

Status

-   -   The return status value from the DisplayExtrasMenu method. The        return status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system        -   FAIL_VIEWER_EXIT—The function failed because the viewer            pressed the EXIT key        -   FAIL_DIALOG_TIMEOUT—The function failed because the time-out            period for the viewer identification dialog box expires            before the viewer makes a selection

Remark

-   -   The DisplayExtrasMenu method causes the NavShell Foundation to        display the NavShell extras menu as an overlay. The viewer may        then select among the entries specified by the MenuEntries        array. When the viewer selects one of the menu entries, the        corresponding index is returned. The extras menu will        automatically be taken down after its time-out period has been        reached.

Viewer Accounts Number of Viewer Accounts Syntax[Status]=GetNumberOfViewers (NumberOfViewers) Parameters NumberOfViewers

-   -   A numeric value that returns the number of viewer accounts that        have been defined for the household.

Status

-   -   The return status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system

Remark

The GetNumberOfViewers method returns the number of viewer accountsdefined for the set-top household. A return value of one indicates thatonly the Default_Viewer is defined for the household.

Viewer Names Syntax [Status]=GetViewerName (ViewerNumber, ViewerName)Parameters ViewerNumber

-   -   A numeric value that specifies which viewer name is being        requested. This value must be in the range 1 to the value        returned by GetNumberOfViewers inclusive.

ViewerName

-   -   A string value that returns the name for the specified viewer.

Status

-   -   The return status value from the GetViewerName method. The        return status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system        -   FAIL_INDEX_NOT_VALID—The function failed because specified            ViewerNumber was outside the valid range

Remark

The GetViewerName method returns the viewer name for the specifiedviewer.

Viewer Privileges Syntax [Status]=GetViewerPrivileges (ViewerNumber,TVAccess, WebAccess, IPPVEnabled, EmailEnabled, WalletEnabled)Parameters ViewerNumber

-   -   A numeric value that specifies which viewer name is being        requested. This value must be in the range 1 to the value        returned by GetNumberOfViewers inclusive.

TVAccess

-   -   A boolean value that returns whether the specified viewer's TV        viewing access is restricted

WebAccess

-   -   A boolean value that returns whether the specified viewer's Web        browsing access is restricted

Status

-   -   The return status value from the GetViewerPrivileges method. The        return status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system        -   FAIL_INDEX_NOT_VALID—The function failed because specified            ViewerNumber was outside the valid range

Remark

The GetViewerPrivileges method returns the viewer privileges for thespecified viewer.

Viewer Parental Controls Syntax [Status]=GetViewerParentalControls(ViewerNumber, TVRating, MovieRating, WebAccess, EmailAccess) ParametersViewerNumber

-   -   A numeric value that specifies which viewer name is being        requested. This value must be in the range 1 to the value        returned by GetNumberOfViewers inclusive.

TVRating

-   -   A string value that returns the specified viewer's TV rating        parental control setting

MovieRating

-   -   A string value that returns the specified viewer's MPAA rating        parental control setting

Status

-   -   The return status value from the GetViewerParentalControls        method. The return status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system        -   FAIL_INDEX_NOT_VALID—The function failed because specified            ViewerNumber was outside the valid range

Remark

The GetViewerParentalControls method returns the viewer parental controlsettings for the specified viewer.

Viewer Identification Syntax [Status]=ViewerIdentification (Message,Viewer) Parameters Message

-   -   A string value that specifies the message text displayed in the        viewer identification dialog box.

Viewer

-   -   A string value that returns the viewer name entered by the        viewer. The viewer name will be one of the viewer accounts        associated with the household.

Status

-   -   The return status value from the ViewerIdentification method.        The return status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system        -   FAIL_INVALID_PIN—The function failed because the viewer            entered an invalid PIN for the selected viewer        -   FAIL_VIEWER_EXIT—The function failed because the viewer            pressed the EXIT key        -   FAIL_DIALOG_TIMEOUT—The function failed because the time-out            period for the viewer identification dialog box expires            before the viewer makes a selection

Remark

The ViewerIdentification method displays a viewer identification dialogbox with the specified text message. The viewer then can select thedesired viewer from the list of available viewers associated with thehousehold and enter the appropriate PIN for that viewer to identifyhimself. The ViewerIdentification method then returns the name of theviewer selected. The viewer can also press the EXIT key to terminate theviewer identification dialog box without selecting a viewer, or they canlet the dialog box time-out, or enter an invalid PIN. These conditionsare returned in the Status return value. In households where only asingle viewer account has been created, the viewer does not have theoption of selecting among multiple viewers, but must still enter a validPIN. The viewer name returned when the correct PIN is entered isDefault_Viewer.

E-wallet and Buy-Sequence E-Wallet Purchase Syntax[Status]=EwalletPurchase (NumberOfPurchaseOptions, PurchaseOptions,SelectedOption, Buyer, Shipto) Parameters NumberOfPurchaseOptions

-   -   A numeric value that specifies the number of purchase options        contained in the PurchaseOptions array.

PurchaseOptions

-   -   An array of string values that specifies the message text for        each purchase option that is available in the E-wallet purchase        transaction dialog box. The first entry in this array is the        default option displayed.

SelectedOption

-   -   A numeric value that returns the index of purchase option        selected by the viewer from the PurchaseOptions array.

Status

-   -   The return status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system        -   FAIL_INVALID_PIN—The function failed because the viewer            entered an invalid PIN for the selected viewer        -   FAIL_VIEWER_EXIT—The function failed because the viewer            pressed the EXIT key        -   FAIL_DIALOG_TIMEOUT—The function failed because the time-out            period for the viewer identification dialog box expires            before the viewer makes a selection

Remark

The EwalletPurchase method displays an E-Wallet purchase transactiondialog box with the specified array of purchase options. The viewer thencan select the desired purchase option from the list of availablepurchase options. The EwalletPurchase method then returns the index ofthe viewer selected purchase option, the name of the viewer that isperforming the purchase, and the name of the person to which thepurchase will be shipped. The viewer can also press the EXIT key toterminate the E-Wallet purchase transaction dialog box without selectinga purchase option, or they can let the dialog box time-out, or enter aninvalid PIN. These conditions are returned in the Status return value.In households where only a single viewer account has been created, theviewer does not have the option of selecting among multiple viewers whois performing the purchase, but must still enter a valid PIN. The viewername returned when the correct PIN is entered is Default_Viewer.

Reminders Set Reminder Syntax [Status]=Rem.SetReminder (RelativeDay,TimeOfDay, ReminderMessage, ForUser, ReminderURL) Parameters RelativeDay

-   -   A numeric value that specifies the number of days in the future        at which the reminder is to be triggered.

TimeOfDay

-   -   A numeric value that specifies the time of day on the day        specified by RelativeDay at which the reminder is to be        triggered.

ReminderMessage

-   -   A string value that specifies the message text displayed in the        TV Notice dialog box.

ReminderURL

-   -   A string value that specifies the URL that is accessed when the        viewer selects “Yes” in the TV Notice dialog box.

ForUser

-   -   A string value that specifies the viewer name for whom the        reminder is intended. The viewer name must be one of the viewer        accounts associated with the household.

Status

-   -   The return status value from the SetReminder method. The return        status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system        -   FAIL_INVALID_VIEWER—The function failed because the            specified viewer name is not a valid viewer of the household        -   FAIL_REMINDER_CONFLICT—The function failed because there is            an existing reminder set that conflicts with the specified            time for the requested reminder.

Remark

The SetReminder method sets a reminder for the specified viewer thatdisplays the specified reminder message when the reminder is triggered.The specified URL is displayed if the viewer elects to act on thereminder when it occurs. The reminder is displayed as a TV Notice.

Display TV Notice

This method allows the content provider to simulate a reminder bydirectly displaying the TV Notice dialog box immediately, rather thansetting a reminder and waiting for the reminder to be triggered.

Syntax [Status]=Rem.DisplayTVNotice (NoticeMessage, Notice URL)Parameters NoticeMessage

-   -   A string value that specifies the message text displayed in the        TV Notice dialog box.

NoticeURL

-   -   A string value that specifies the URL that is accessed when the        viewer selects “Yes” in the TV Notice dialog box.

Status

-   -   The return status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system        -   FAIL_INVALID_VIEWER—The function failed because the            specified viewer name is not a valid viewer of the household

Remark

The SetReminder method sets a reminder for the specified viewer thatdisplays the specified reminder message when the reminder is triggered.The specified URL is displayed if the viewer elects to act on thereminder when it occurs. The reminder is displayed as a TV Notice.

Printing Syntax

s[Status]=PrintPage 0

Parameters Status

-   -   The return status value from the DisplayTVNotice method. The        return status value will be one of the following:        -   SUCCESS—The function completed successfully        -   FAIL_FUNCTION_NOT_AUTHORIZED—The function failed because the            function invocation was not authorized by the CA system        -   FAIL_PRINTER_ERROR—The function failed because of an error            on the printer

Remark

The PrintPage method prints the current page displayed on the TV.

1. A computer program product comprising: a computer usable storagemedium having computer executable code embodied therein for managingaccess to an application program interface (API) comprising a pluralityof functions, the computer program product comprising: a first modulefor receiving a message containing code calling a function in the APIassociated with television viewing privileges and an access control list(ACL) indicating API function execution rights of an originator of themessage; a second module for determining whether the ACL indicates thatthe originator of the message has the right to execute the calledfunction associated with television viewing privileges; and a thirdmodule for sending a response to the originator of the messageindicating whether the code successfully called the function in the APIassociated with television viewing privileges.
 2. The computer programproduct of claim 1, wherein the ACL indicating API function executionrights comprises: a value identifying API functions that can be executedby the originator of the message.
 3. The computer program product ofclaim 1, wherein the ACL indicating API function execution rightscomprises: a value restricting the API functions that can be executed bythe originator of the message based on time.
 4. The computer programproduct of claim 1, wherein the function in the API is associated withpay-per-view (PPV) television viewing privileges.
 5. The computerprogram product of claim 1, wherein the function in the API isassociated with determining television viewing privileges of aparticular television viewer of a plurality of television viewers.
 6. Acomputer program product comprising: a computer usable storage mediumhaving computer executable code embodied therein for passing messagesfrom a server to a client, the computer program product comprising: afirst module for receiving a message containing code calling a functionin an API associated with television viewing privileges from the serverintended for the client; a second module for determining permissions ofthe server with respect to the client; a third module for including thedetermined permissions with the message; and a fourth module for passingthe message and the determined permissions to the client.
 7. Thecomputer program product of claim 6, wherein the second modulecomprises: a module for determining an identity of the serveroriginating the message; a module for determining a user agent of theclient; and a module for retrieving the permissions of the server from apermissions table using the determined identity and user agent.
 8. Thecomputer program product of claim 7, wherein the permissions table isstored in a database and the module for retrieving the permissions ofthe server comprises: a module for interfacing with the database toaccess the permissions table.
 9. The computer program product of claim6, wherein the third module comprises: a module for adding a hypertexttransport protocol (HTTP) header specifying the determined permissionsto the message.
 10. The computer program product of claim 6, furthercomprising: a fifth module for scanning the message from the server forpotential security violations.
 11. The computer program product of claim10, further comprising: a sixth module for removing headers identifiedas potential security violations from the message.
 12. A system formanaging access to an application program interface (API) comprising aplurality of functions, comprising: a processor for executing computerprogram code; a computer-readable storage medium storing executablecomputer program code comprising: a first module for receiving a messagecontaining code calling a function in the API associated with televisionviewing privileges and an access control list (ACL) indicating APIfunction execution rights of an originator of the message; a secondmodule for determining whether the ACL indicates that the originator ofthe message has the right to execute the called function associated withtelevision viewing privileges; and a third module for sending a responseto the originator of the message indicating whether the codesuccessfully called the function in the API associated with televisionviewing privileges.
 13. The system of claim 12, wherein the ACLindicating API function execution rights comprises: a value identifyingAPI functions that can be executed by the originator of the message. 14.The system of claim 12, wherein the ACL indicating API functionexecution rights comprises: a value restricting the API functions thatcan be executed by the originator of the message based on time.
 15. Thesystem of claim 12, wherein the function in the API is associated withpay-per-view (PPV) television viewing privileges.
 16. The system ofclaim 12, wherein the function in the API is associated with determiningtelevision viewing privileges of a particular television viewer of aplurality of television viewers.